What you see is predictable - your setup appears to work because Apache fetches the certificate from the first VH (since it can't tell which VH to use). Once it gets a cert, it can then establish an SSL session and so can then see inside the HTTP request. It can then see the Host header and serve up the correct VH.
However, this is not a solution for the real world because, as you observe, whenever you request the second VH, Apache will use the cert from the first VH and so the browser will report a conflict. The way you have it set up leaves you vulnerable to man-in-the-middle exploits since you have lost the *authentication* aspect of SSL. This is equally as important as encryption. For example, imagine you sent your money to the bank in an armoured car, but the bank turned out just to be a front door...

I guess you will say, "but it's just a lab setup, I don't care about authentication" - well that's fine, but why then do you need encryption?

-----Original Message-----
From: Roman Ivanov [mailto:ivanov_r@;samsung.ru]
Sent: Thursday, 24 October 2002 15:06
To: [EMAIL PROTECTED]
Subject: Chicken and Egg

Hello All!

I've just installed modssl. I want to clarify the chicken and egg problem for myself. I use modssl only for internal purposes, so I use 1 self-made certificate on two sites. It is not a problem that the certificate does not match the site name.

I have in httpd.conf:

<VirtualHost IP:443>
ServerName A
...other directives...
</VirtualHost>
<VirtualHost IP:443>
ServerName B
...other directives...
</VirtualHost>

In logs:

[...] [warn] Init: SSL server IP/port conflict: A:443 (httpd.conf:...) vs. B:443 (httpd.conf:...)
[...] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!

But https://B works and https://A works too.

My question is: I didn't meet the chicken and egg problem here because I share one certificate between two servers? Am I right?

Regards.
Roman Ivanov
CIS HQ SAMSUNG ELECTRONICS CO., LTD
web-master
TEL: +7-(095)-7972309
ICQ UIN #8160057
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
